Fully Secure Unbounded Inner-Product and Attribute-Based Encryption

(1)

Fully Secure Unbounded Inner-Product and

Attribute-Based Encryption

Tatsuaki Okamoto NTT

[email protected] Katsuyuki Takashima

Mitsubishi Electric

[email protected] November 28, 2012

Abstract

In this paper, we present the ﬁrst inner-product encryption (IPE) schemes that are

unboundedin the sense that the public parameters do not impose additional limitations on the predicates and attributes used for encryption and decryption keys. All previous IPE schemes werebounded, or have a bound on the size of predicates and attributes given public parameters fixed at setup. The proposed unbounded IPE schemes are fully (adaptively) secure and fully attribute-hiding in the standard model under a standard assumption, the decisional linear (DLIN) assumption. In our unbounded IPE schemes, the inner-product relation is generalized, where the two vectors of inner-product can be different sizes and it provides a great improvement of efficiency in many applications. We also present the first

(2)

1 Introduction

1.1 Background

1.1.1 IPE and ABE

The notions ofinner-product encryption(IPE) andattribute-based encryption(ABE) introduced by Katz, Sahai and Waters [7] and Sahai and Waters [20] constitute an advanced class of en-cryption,functional encryption (FE), and provide more ﬂexible and ﬁne-grained functionalities in sharing and distributing sensitive data than traditional symmetric and public-key encryption as well as identity-based encryption (IBE).

In FE, there is a relation R(v, x), that determines whether a secret key associated with a parameter v can decrypt a ciphertext encrypted under another parameterx. The parameters for IPE are expressed as vectorsx(for encryption) andv(for a secret key), whereR(v, x) holds, i.e., a secret key with v can decrypt a ciphertext with x, iff v·x = 0. (Here, v·x denotes the standard inner-product.) In ABE systems, either one of the parameters for encryption and secret key is a set of attributes, and the other is an access policy (structure) or (monotone) span program over a universe of attributes, e.g., a secret key for a user is associated with an access policy and a ciphertext is associated with a set of attributes, where a secret key can decrypt a ciphertext, iff the attribute set satisfies the policy. If the access policy is for a secret key, it is called key-policy ABE (KP-ABE), and if the access policy is for encryption, it is ciphertext-policy ABE (CP-ABE).

For some applications, the parameters for encryption are required to be hidden from cipher-texts. To capture the security requirement, Katz, Sahai and Waters [7] introduced attribute-hiding (based on the same notion for hidden vector encryption (HVE) by Boneh and Waters [5]), a security notion for FE that is stronger than the basic security requirement, payload-hiding. Roughly speaking, attribute-hiding requires that a ciphertext conceal the associated parameter as well as the plaintext, while payload-hiding only requires that a ciphertext conceal the plaintext. A weaker notion of attribute-hiding than the original one [7] was given by [8]. The weaker notion is calledweakly attribute-hiding, and the original one isfully attribute-hiding. Informally, in the fully attribute-hiding, the secrecy of attribute x is ensured even against an adversary having a secret key with v such that R(v, x) holds (i.e., no information is released on x except R(v, x) holds), while it is ensured only whenR(v, x) does not hold in the weakly attribute-hiding (see Deﬁnition 5 for the deﬁnition of the fully attribute-hiding).

To the best of our knowledge, the widest class of attribute-hiding FE is IPE [7, 8, 14, 16] (KSW08, LOS+10, OT10 and OT12 schemes). Inner-products for IPE represent a fairly wide class of relations including equality tests as the simplest case (i.e., anonymous IBE and HVE are very special classes of attribute-hiding IPE), disjunctions or conjunctions of equality tests, and, more generally, CNF or DNF formulas. We note, however, that inner-product relations are less expressive than a class of relations (on span programs) for ABE, while existing ABE schemes for such a wider class of relations are not attribute-hiding but only payload-hiding.

Among the existing IPE schemes, only the OT12 IPE scheme [16] achieves thefull (adaptive)

(4)

1.1.2 Unbounded IPE and ABE

All previous constructions of IPE and ABE except the Lewko-Waters ABE scheme [11] have restriction, or arebounded, in the choice of the parameters for secret key and encryption once the public parameters have been set. The onlyunbounded ABE scheme [11], however, is selectively

secure, while they presented an unbounded hierarchical identity-based encryption (HIBE) that isfully securein the standard model. NounboundedIPE scheme has been presented. Therefore, no fully secureandunbounded scheme for an advanced class of encryption like IPE or ABE has been presented.

In practice, it is highly desirable that the parameters for secret key and encryption should be ﬂexible or unbounded by the public parameters ﬁxed at setup, since if we set the public pa-rameters for a possible maximum size (e.g., the maximum dimension of predicate and attribute vectors for IPE), the size of the public parameters should be huge.

Removing the restrictions for fully secure IPE and ABE, however, is quite challenging. As mentioned above, nofully secureandunboundedscheme for an advanced class of encryption like IPE or ABE has been presented. The diﬃculty resides in the existing techniques for proving thefull (or adaptive) security of such an advanced class of encryption.

The only known technique to prove the full security of an (attribute-hiding) IPE or ABE system is the dual system encryption by Waters [21] and its extension [16]. In the techniques, information theoretical arguments (e.g., conceptual change due to the same distribution and the independent randomness of two distributions etc.) over some (hidden) parts of a secret-key and challenge ciphertext play a key role in the security proof, provided that the adversary follows the secret-key-query condition in the security games. To execute a security proof based on the information theoretical arguments, an appropriate distribution of randomness consistent with the key-query condition should be supplied in the proof games transformed from the original proof game.

As for bounded IPE and ABE schemes, the public parameters can supply immanent ran-domness enough for the arguments, since the size of parameters for secret-keys and encryption is bounded by the public parameters. For example, when the dimension of vectors for IPE is required to be n, the public parameters whose size is O(n) with respect to n should be given in bounded IPE, and the size of secret randomness to generate the public parameter is O(n2). Such an amount of randomness can be enough for the arguments overn-dimensional vectors.

(5)

1.1.3 Restriction on IPE

The existing IPE schemes have another restriction on the parameters (i.e., vectors) for secret key and encryption that the dimensions of x (for encryption) and v (for a secret key) should be equivalent. Such a restriction may be considered to be inevitable for the inner-product relation onv·x, but it is required to be relaxed in various applications to improve the eﬃciency, especially inunboundedIPE systems where the setup (public) parameters give no restriction on the dimensions of vectors.

Let us consider an example on a genetic profile data of an individual. It is desirable that such a sensitive data be treated as encrypted data even for data processing and retrievals. Although a genetic profile may include a large amount of information, only a part of the profile is examined in many applications. For example, let X₁, . . . , X₁₀₀ be variables of 100 genetic properties andx₁, . . . , x₁₀₀ be Alice’s values of these variables. To evaluate iff(x₁, . . . , x₁₀₀) = 0 for any examination (multivariate) polynomial f with degree 3, or the truth value of the corresponding predicateφ_f(x₁, . . . , x₁₀₀), the attribute vector x of Alice should be a monomial vector of Alice’s values with degree 3,x:= (1, x₁, . . . , x₁₀₀, x2₁, x₁x₂, . . . , x2₁₀₀, x3₁, x2₁x₂, . . . , x3₁₀₀), whose dimension is around 106. A predicate vectorv for a secret key can be associated with predicateφ_f.

To ensure the private data processing of x, it should be encrypted (say cfor a ciphertext of

x) by afully attribute-hidingIPE scheme, since whetherφ_f(x₁, . . . , x₁₀₀) holds can be examined with releasing no other information by checking whether c can be decrypted by a secret key withv (i.e.,R(v, x) holds). Here, if cis encrypted by fully attribute-hiding IPE, it releases no information onxexcept thatR(v, x) holds, orφ_f(x₁, . . . , x₁₀₀) holds, however, if it is encrypted by weaklyattribute-hiding IPE, such desirable security cannot be ensured.

Let a predicate for v be ((X₅ = a) ∨(X₁₆ = b))∧(X₅₇ = c), which focuses only three factors, X₅, X₁₆, X₅₇, among the 100 genetic properties. It can be represented by a polynomial equation,r₁(X₅−a)(X₁₆−b) +r₂(X₅₇−c) = 0 (where r₁, r₂←UF_q), i.e., (r₁ab−r₂c)−r₁bX₅− r₁aX₁₆+r₂X₅₇+r₁X₅X₁₆= 0. In order thatr₁(x₅−a)(x₁₆−b) +r₂(x₅₇−c) = 0 iﬀv·x= 0, vector v should be ((r₁ab−r₂c),0, . . . ,0,−r₁b,0, . . . ,0,−r₁a,0, . . . ,0, r₂,0, . . . ,0, r₁,0, . . . ,0), whose dimension is equivalent to that ofx, i.e., around 106, although the eﬀective dimension of v is just 5. This is due to the above-mentioned restriction on the inner-product relation of the existing IPE schemes. The size of secret key forvthen should be in proportion to the dimension of v (andx), around 106. This example shows us a strong practical motivation, especially for

unbounded IPE schemes, to relax this restriction on the inner-product relation and to shorten the length of the secret key to that in proportion to the eﬀective dimension, e.g., 5, instead of around 106.

1.2 Our Results

1. This paper introduces a new concept of IPE, generalized IPE, which relaxes the above-mentioned restriction of IPE and consists of three types of IPE, Types 0, 1 and 2. Here the notion of Types 1 and 2 is introduced in this paper, and Type 0 is the traditional one (see Remark below).

(6)

ap-Table 1: Comparison of attribute-hiding IPE schemes, where |G|and |G_T|represent size of an element of G and that of G_T, respectively. AH, IP, PK, SK, CT, GSD and eDDH stand for attribute-hiding, inner-product, master public key (public parameters), secret key, ciphertext, general subgroup decision [3] and extended decisional Diﬃe-Hellman [8], respectively. And, n:=I_v andn :=I_x. (Then, n=n except for the proposed unbounded IPE schemes.)

KSW08 [7] LOS+10 [8] OT10 [14] OT12 [16] Proposed IPE

(basic) (variant) (type 1 or 2) Section 5.1

(type 0) Section 5.3

Bounded or

Unbounded bounded bounded bounded bounded unbounded

Restriction on

IP relation restricted

∗ _restricted _restricted _restricted _relaxed _restricted

Security selective & fully-AH

adaptive & weakly-AH

adaptive & fully-AH

adaptive & fully-AH Order

ofG composite prime prime prime prime

Assump. 2 variants

of GSD n-eDDH DLIN DLIN DLIN

PK size O(n)|G| O(n2)|G| O(n2)|G| O(n2)|G| O(n)|G| O(1)|G| O(1)|G| SK size (2n+ 1)|G| (2n+ 3)|G| (3n+ 2)|G| (4n+ 2)|G| 11|G| (15n+ 5)|G| (21n+ 9)|G|

CT size (2n+ 1)|G| +|GT|

(2n+ 3)|G| +|GT|

(3n+ 2)|G| +|GT|

(4n+ 2)|G| +|GT|

(5n+ 1)|G| +|GT|

(15n+ 5)|G| +|GT|

(21n+ 9)|G| +|GT|

* It can be easily relaxed.

plication. Here note that we abuse the same vector notation, v, for the new expres-sion as well as for the conventional one, (v₁, . . . , v_n). In the above-mentioned exam-ple, x := {(1,1),(2, x₁), . . . ,(101, x₁₀₀),(102, x2₁),(103, x₁x₂), . . . ,(n, x3₁₀₀)} where I_x := {1,2, . . . , n}, and v := {(1, r₁ab− r₂c),(6,−r₁b),(17,−r₁a),(58, r₂),(517, r₁)} where I_v:={1,6,17,58,517}. The generalized inner-product ofvoverxis deﬁned by_t_∈_I

vvtxt

ifI_v⊆I_x. Otherwise, it is undeﬁned. By using the generalized inner-product notion, the secret key size can be in proportion to the eﬀective dimension (e.g., 5 instead of around 106).

We then introduce three types of IPE schemes. For Type 1, relation R(v, x) holds iff the generalized inner-product of v over x is 0, while for Type 2 it holds iff the generalized inner-product of x overv is 0. We call Type 0 for the conventional inner-products, i.e., relationR(v, x) is defined by the standard inner-product ofv and x, wherev and x have the same dimension (in other words, the inner-product for Type 0 is defined iff these dimensions are equivalent.)

2. We present the ﬁrst unbounded inner-product encryption (IPE) schemes. The proposed unbounded IPE schemes are fully (adaptively) secure and fully attribute-hiding in the standard model under a standard assumption, the decisional linear (DLIN) assumption. The proposed unbounded IPE schemes consist of the above-mentioned types of generalized IPE, Types 0, 1 and 2, For comparison of attribute-hiding IPE schemes, see Table 1.

(7)

Table 2: Comparison ofKP-ABE Schemes, where|G|represents the size of an element ofG, and PK, SK, CT and GSD stand for master public key (public parameters), secret key, ciphertext and general subgroup decision [3], respectively. And, d, n, nmax, and kmax are the number

of sub-universes of attributes, the number of attributes for a CT, the maximum number of attributes for a CT, the row size of an access policy matrix for a SK and the maximum value of the degree of access policies, respectively.

LW11 [11] LOS+10 [8] OT10 [14] Proposed KP-ABE

(basic) (modiﬁed) (basic) (modiﬁed) (basic) Section 6.1

(modiﬁed) Section 6.2

Bounded or

Unbounded unbounded bounded bounded unbounded

Security selective full full full

Order of G composite composite prime prime

Assump. GSD GSD DLIN DLIN

Degree of

access policies arbitrary 1 arbitrary 1 arbitrary 1 arbitrary

PK size O(1)|G| O(nmax)|G| O(d)|G| O(1)|G|

SK size O()|G| O()|G| O()|G| O()|G|

CT size O(n)|G| O(n)|G| O(kmaxn)|G| O(n)|G| O(kmaxn)|G| O(n)|G| O(kmaxn)|G|

payload-hiding) in the standard model. The proposed unbounded ABE schemes are fully secure under the DLIN assumption, and are for a wide class of relations, non-monotone access structures. See Table 2 for comparison of KP-ABE schemes.

Remark: Similarly to the existing fully secure ABE schemes in the standard model [8, 14, 10] except [12], our basic ABE scheme (Section 6.1) has a restriction that the degree of access policies is 1 1. A modified KP-ABE scheme is shown in Section 6.2 to relax the restriction or to achieve an arbitrary degree kof access policies with preserving the fully secure and unbounded property. It, however, shares a shortcoming of the existing fully secure (modified) ABE schemes [8, 14, 10] that the ciphertext size grows linearly withk. Here, a (maximum) value ofkcan be determined in each application of our ABE scheme, while the public parameters are fixed and commonly shared by all applications and users.

1.3 Key Techniques

As mentioned above, the difficulty of realizing a fully secure unbounded IPE or ABE scheme arises from the hardness of supplying an unbounded amount of randomness consistent with the complicated key-query condition for the (dual system encryption) security arguments on IPE or ABE. To overcome this difficulty, we develop novel techniques, indexing and consistent randomness amplification, on the dual system encryption and the dual pairing vector spaces (DPVS). Roughly speaking, the indexing technique is for supplying a source of unbounded amount of randomness and theconsistent randomness amplificationtechnique is for amplifying the randomness of the source through a computational assumption (e.g., the DLIN assumption

(8)

in our case) and the randomness of hidden bases as well as for adjusting the distribution of the ampliﬁed randomness to be consistent with a condition. This methodology could provide a general framework for proving the security in unbounded situations.

In DPVS, a pair of dual (or orthonormal) bases for N-dimensional linear spaces, B := (b₁, . . . ,b_N) and B∗ := (b∗₁, . . . ,b∗_N), are randomly generated using a secret random linear transformation X (random N ×N matrix) (see Section 2). In a typical application of DPVS to cryptography, a part of B(say ˆB) is used as a public key (public parameters), andB∗ as a secret key, where X is the top level secret key and the source of randomness.

In a typical construction of bounded IPE schemes [8, 14, 16] which are based on DPVS, once a basis of DPVS, a part of the basis of a N-dimensional space is published as public parameters, the dimension n of predicate and attribute vectors for secret key and encryption is bounded or ﬁxed, e.g., n ≤ N/4 (i.e., N = O(n)). The full security is proven through the information theoretical arguments, and the randomness of secret matrixX (e.g., the amount of the randomness isO(n2)) supplies enough randomness for the arguments.

In contrast, the dimension, n, of the predicate and attribute vectors is not bounded by the public parameters inunboundedIPE. For example, in one of the proposed IPE schemes (Section 5), the public parameters consist of a constant number of elements, 9 elements of bases (or 105 pairing group elements), B₀ := (b₀_,₁,b₀_,₃,b₀_,₅) and B := (b₁, . . . ,b₄,b₁₄,b₁₅), where random matrices of constant sizes, X₀ ←U F5_q×5 and X₁ ←U F15_q ×15, are employed to generate the public parameters. The randomness of the public parameters, just a constant amount with respect to n, is clearly insuﬃcient for the (dual system encryption) arguments on the proof of full security. To supply additional randomness for the purpose, in our IPE schemes, we introduce a tech-nique calledindexing, where two-dimensional index vectors,σ_t(1, t) andμ_t(t,−1) are embedded into ciphertextc_tand secret keyk∗_t, respectively, whereσ_tandμ_tare freshly random for each t. In our IPE scheme (Section 5) wheren=n for simplicity, for example, secret key (k∗₁, . . . ,k∗_n) forv:= (v₁, . . . , v_n) can be expressed by a coeﬃcient vector, (μ_t(t,−1), δv_t, . . .), fort= 1, . . . , n, over basis B∗, i.e., k_t∗ := (μ_t(t,−1), δv_t, . . .)_B∗ and ciphertext (c₁, . . . ,c_n) for x := (x₁, . . . , x_n) can be expressed by c_t:= (σ_t(1, t), ωx_t, . . .)_B fort= 1, . . . , n, whereδ, ω are randomly selected. While the size of the public parameters or its randomness is constant in n, an unbounded amount of randomness, {μ_t}_t₌₁_,...,n,{σ_t}_t₌₁_,...,n, can be supplied to secret key and ciphertext. This is a key idea of theindexing technique.

Although the technique supplies an unbounded amount of randomness, i.e., O(n)-size of randomness, it is not enough for our purpose. We need more and a specific distribution of randomness. This is because: in the proof of full security on dual system encryption and the extension, such arealrandomness provided by the indexing technique should be expanded into a hidden part in spaces over bases B and B∗, and the distribution should be also adjusted to (or consistent with) the key-query condition for IPE or ABE. For this purpose, i.e., in order to amplify the randomness to a hidden subspace and to adjust it to a specific distribution, we develop another technique,consistent randomness amplification.

(9)

hidden subspaces. For example, as mentioned above, a real secret key {k∗_t} and ciphertext {c_t} are expressed by k∗_t := (μ_t(t,−1), δv_t, s_t, 07 , . . .)_B∗ and c_t := (σ_t(1, t), ωx_t, ω, 07 , . . .)_B. This technique provides a transformation (for the dual system encryption technique and the extension) to the following forms: k∗_t := (μ_t(t,−1), δv_t, s_t, 04,(πv_t, a_t)·U_t,0, . . .)_B∗ and c_t:= (σ_t(1, t), ωx_t, ω, . . . , (τ x_t,τ)·Z_t, 0, . . .)_B, where Z_t is an independently random 2×2 ma-trix for each t and U_t := (Z_tT)−1, and other new variables are random. Here, the box-framed parts are the information theoretically hidden subspaces, the randomness of the hidden parts is ampliﬁed and the distribution of (πv_t, a_t)·U_tand (τ x_t,τ)·Z_t is consistent with the key-query condition.

The consistent randomness ampliﬁcation technique is composed of several computational and conceptual (information theoretical) transformations. One of the key tricks of the trans-formations is to amplify a source of randomness to a hidden part by applying a computational assumption, the DLIN assumption. Another computational trick is to swap two vectors in diﬀerent positions under DLIN. Information theoretical key tricks are inter-subspace and intra-subspace types of conceptual transformations (see Section 7 for more details).

The security proofs of our IPE and ABE schemes are hierarchically constructed in a modular manner. The very top level of the security proof is based on the dual system encryption and its extension. Several problems in the middle level support the top level arguments. Our key techniques, the indexing and consistent randomness ampliﬁcation techniques, which are also constructed in a hierarchical manner, are employed in the lowest level to reduce the hardness of the middle level problems to the DLIN assumption. The top level of the security proof of our IPE scheme (forκ= 1) is outlined in Section 5.1.7, and that of our ABE scheme is outlined in the upper part of Figure 2 in Appendix A.4.

1.4 Notations

When A is a random variable or distribution, y ←R A denotes that y is randomly selected from A according to its distribution. When A is a set, y ←U A denotes that y is uniformly selected from A. We denote the ﬁnite ﬁeld of order q by F_q, F_q \ {0} by F_q×, and the set of positive integers by N. A vector symbol denotes a vector representation over F_q, e.g., x denotes (x₁, . . . , x_n) ∈ F_qn. The vector 0 is abused as the zero vector in F_qn for any n. XT denotes the transpose of matrix X. I and 0 denote the × identity matrix and the × zero matrix, respectively. A bold face letter denotes an element of vector space V, e.g., x∈V. When b_i ∈V(i= 1, . . . , n),spanb₁, . . . ,b_n ⊆V(resp. spanx₁, . . . , x_n ) denotes the subspace generated by b₁, . . . ,b_n (resp. x₁, . . . , x_n). For basesB:= (b₁, . . . ,b_N) and B∗ := (b∗₁, . . . ,b∗_N), (x₁, . . . , x_N)_B := N_i₌₁x_ib_i and (y₁, . . . , y_N)_B∗ := N_i₌₁y_ib_i∗. e₁ and e₂ denote the canonical basis vectors inF2_q, i.e.,e₁ := (1,0) ande₂:= (0,1). GL(n,F_q) denotes the general linear group of degree noverF_q.

2 Dual Pairing Vector Spaces by Direct Product of Symmetric

Pairing Groups

Deﬁnition 1 “Symmetric bilinear pairing groups” (q,G,G_T, G, e) are a tuple of a prime q, cyclic additive group Gand multiplicative group G_T of order q, G= 0∈G, and a polynomial-time computable nondegenerate bilinear pairing e:G×G→G_T i.e.,e(sG, tG) =e(G, G)st _and e(G, G)= 1. Let Gbpg be an algorithm that takes input 1λ and outputs a description of bilinear

(10)

Deﬁnition 2 “Dual pairing vector spaces (DPVS)”(q,V,G_T,A, e) by a direct product of sym-metric pairing groups (q,G,G_T, G, e) are a tuple of prime q, N-dimensional vector space V:=

N

G× · · · ×G over F_q, cyclic group G_T of order q, canonical basis A := (a₁, . . . ,a_N) of V,

where a_i := ( i−1 0, . . . ,0, G,

N−i

0, . . . ,0), and pairing e : V×V → G_T. The pairing is deﬁned by

e(x,y) := N_i₌₁e(G_i, H_i) ∈ G_T where x := (G₁, . . . , G_N) ∈ V and y := (H₁, . . . , H_N) ∈ V. This is nondegenerate bilinear i.e., e(sx, ty) =e(x,y)st and if e(x,y) = 1 for all y∈V, then

x = 0. For all i and j, e(a_i,a_j) = e(G, G)δi,j _where _δ

i,j = 1 if i = j, and 0 otherwise, and e(G, G)= 1∈G_T. DPVS generation algorithm Gdpvs takes input 1λ (λ∈N) and N ∈N, and

outputs a description ofparam_V:= (q,V,G_T,A, e)with security parameterλandN-dimensional

V. It can be constructed by using Gbpg.

For matrix W := (w_i,j)_i,j₌₁_,...,N ∈F_qN×N and element x:= (G₁, . . . , G_N) in N-dimensional

V, xW denotes (N_i₌₁G_iw_i,₁, . . . ,N_i₌₁G_iw_i,N) =(N_i₌₁w_i,₁G_i, . . . ,N_i₌₁w_i,NG_i) by a natural multiplication of a N-dim. row vector and a N ×N matrix. Thus it holds an associative law, i.e., (xW₁)W₂ =x(W₁W₂).

For the asymmetric version of DPVS, see Appendix A.2 in [14]. We describe random dual orthonormal basis generator Gob, which is used as a subroutine in our IPE and ABE schemes.

Gob(1λ,(Nt)t=0,1) :paramG := (q,G,GT, G, e)

R

← Gbpg(1λ), ψ U

←F×

q , fort= 0,1, param_V_t := (q,V_t,G_T,A_t, e) :=Gdpvs(1λ, Nt,paramG),

X_t:= (χ_t,i,j)_i,j₌₁_,...,N_t ←UGL(N_t,F_q), X_t∗ := (ϑ_t,i,j)_i,j₌₁_,...,N_t :=ψ·(X_tT)−1, hereafter,

χ_t,i andϑ_t,i denote the i-th rows of X_t and X_t∗ fori= 1, . . . , N_t, respectively,

b_t,i := (χ_t,i)_A_t =N_j₌₁t χ_t,i,ja_t,j fori= 1, . . . , N_t, B_t:= (b_t,₁, . . . ,b_t,N_t), b∗_t,i := (ϑ_t,i)_A_t =N_j₌₁t ϑ_t,i,ja_t,j fori= 1, . . . , N_t, B∗_t := (b∗_t,₁, . . . ,b∗_t,N_t), g_T :=e(G, G)ψ, param:= ({param_V_t}_t₌₀_,₁, ψG, g_T), return (param,B,B∗).

We note that g_T =e(b_t,i,b∗_t,i) for t= 0,1;i= 1, . . . , N_t. Hereafter, for simplicity, we denote N :=N₁,V:=V₁,A:=A₁,B:=B₁ and B∗ :=B∗₁ for variables witht= 1.

3 Decisional Linear (DLIN) Assumption

Deﬁnition 3 (DLIN: Decisional Linear Assumption [4]) The DLIN problem is to guess

β ∈ {0,1}, given (param_G, G, ξG, κG, δξG, σκG, Y_β)← GR _βDLIN(1λ), where

GDLIN

β (1λ) :paramG := (q,G,GT, G, e)

R

← Gbpg(1λ),

κ, δ, ξ, σ←UF_q, Y₀ := (δ+σ)G, Y₁←UG, return (param_G, G, ξG, κG, δξG, σκG, Y_β),

forβ ← {U 0,1}. For a probabilistic machineF, we deﬁne the advantage ofF for the DLIN

prob-lem as: AdvDLIN_F (λ) := Pr

F(1λ, )→1 ←GR ₀DLIN(1λ)

−Pr

F(1λ, )→1 ←GR ₁DLIN(1λ).

The DLIN assumption is: For any probabilistic polynomial-time adversary F, the advantage

(11)

4 Definitions of Generalized Inner-Product Encryption (IPE)

and Attribute-Based Encryption (ABE)

4.1 Generalized Inner-Product Encryption

This section deﬁnes generalized inner product encryption (IPE) and its security.

The parameters of generalized inner-product predicates are expressed as a vector x := {(t, xt)|t ∈ Ix, xt ∈ Fq} \ {0} with finite index set Ix ⊂ N for encryption and a vector v := {(t, v_t)|t ∈ I_v, v_t ∈F_q} \ {0} with finite index set I_v ⊂ N for a secret key, respectively. Here there are three types of unbounded IPE with respect to the decryption condition. For Type 1, R(v, x) = 1 iff I_v ⊆ I_x and _t_∈_I

vvtxt = 0. For Type 2, R(v, x) = 1 iﬀ Iv ⊇ Ix and

t∈Ixvtxt= 0.

We will consider Type 0 inner-product predicate only for conventional preﬁx type vectors v:= (v₁, . . . , v_n) and x := (x₁, . . . , x_n). For Type 0, R(v, x) = 1 iﬀ n = n and v ·x :=

n

t=1vtxt= 0.

Deﬁnition 4 An inner product encryption scheme (for generalized inner-product relationR(v, x)) consists of probabilistic polynomial-time algorithmsSetup,KeyGen,Enc andDec. They are given as follows:

Setuptakes as input security parameter1λ. It outputs public parameterspkand (master) secret key sk.

KeyGen takes as input public parameters pk, secret key sk, and vector v. It outputs a corre-sponding secret keysk_v.

Enc takes as input public parameters pk, message m in some associated message space, msg, and vector x. It returns ciphertext ct_x.

Dec takes as input the master public keypk, secret key sk_v and ciphertextct_x. It outputs either

m ∈msg or the distinguished symbol ⊥.

A generalized IPE scheme should have the following correctness property: for all (pk,sk)←R

Setup(1λ), all vectors v and x, all secret keys sk_v ←R KeyGen(pk,sk, v), all messages m, all ciphertext ct_x ←R Enc(pk, m, x), it holds thatm=Dec(pk,sk_v,ct_x) if R(v, x) = 1. Otherwise, it holds with negligible probability.

Deﬁnition 5 The model for deﬁning the adaptively fully-attribute-hiding security ofIP E against adversary A(under chosen plaintext attacks) is given by the following game:

Setup The challenger runs the setup algorithm, (pk,sk)←R Setup(1λ₎_{, and gives public}

param-eters pk to A.

Phase 1 A may adaptively make a polynomial number of key queries for vectors, v, to the challenger. In response, the challenger gives the corresponding keysk_v ←R KeyGen(pk,sk, v)

to A.

Challenge A submits challenge vectors (x(0), x(1)) with the same index set I_x(0) = I_x(1) (or n(0) = n(1) for Type 0) and challenge messages (m(0), m(1)), subject to the following restrictions:

(12)

• Two challenge messages are equal, i.e., m(0) =m(1), and any key queryv in Phase 1 satisﬁes R(v, x(0)) =R(v, x(1)).

The challenger ﬂips a coinb← {U 0,1}, and gives ct_x(b) ←REnc(pk, m(b), x(b)) to A.

Phase 2 Phase 1 is repeated with the above restriction for key queryvand challenge,(x(0), x(1))

and (m(0), m(1)).

Guess A outputs a bit b, and wins if b =b.

The advantage of A in the above game is deﬁned as AdvIPE_A ,AH(λ) := Pr[A wins ]−1/2 for any security parameter λ. An IPE scheme is adaptively fully-attribute-hiding (AH) against cho-sen plaintext attacks if all probabilistic polynomial-time adversaries A have at most negligible advantage in the above game. For each run of the game, the variable s is deﬁned as s := 0 if

m(0) =m(1) for challenge messages m(0) and m(1), and s:= 1 otherwise.

4.2 Attribute-Based Encryption with Non-Monotone Access Structures

4.2.1 Span Programs and Non-Monotone Access Structures

Deﬁnition 6 (Span Programs [2]) Let {p₁, . . . , p_n} be a set of variables. A span program over F_q is a labeled matrixMˆ := (M, ρ) where M is a (×r) matrix overF_q and ρis a labeling of the rows ofM by literals from{p₁, . . . , p_n,¬p₁, . . . ,¬p_n}(every row is labeled by one literal), i.e., ρ:{1, . . . , } → {p₁, . . . , p_n,¬p₁, . . . , ¬p_n}.

A span program accepts or rejects an input by the following criterion. For every input sequenceδ ∈ {0,1}n deﬁne the submatrix M_δ of M consisting of those rows whose labels are set to 1 by the input δ, i.e., either rows labeled by somep_i such thatδ_i = 1 or rows labeled by some

¬p_i such that δ_i = 0. (i.e., γ :{1, . . . , } → {0,1} is deﬁned by γ(j) = 1 if [ρ(j) =p_i]∧[δ_i = 1]

or [ρ(j) =¬p_i]∧[δ_i= 0], and γ(j) = 0otherwise. M_δ := (M_j)_γ₍_j₎₌₁, where M_j is thej-th row of M.)

The span program Mˆ acceptsδ if and only if1∈spanM_δ , i.e., some linear combination of the rows ofM_δ gives the all one vector1. (The row vector has the value 1 in each coordinate.) A span program computes a Boolean functionf if it accepts exactly those inputsδ where f(δ) = 1. A span program is called monotone if the labels of the rows are only the positive literals

{p₁, . . . , p_n}. Monotone span programs compute monotone functions. (So, a span program in general is “non”-monotone.)

We assume that no row M_i (i= 1, . . . , ) of the matrix M is0. We now introduce a non-monotone access structure with evaluating map γ that is employed in the proposed attribute-based encryption schemes.

Deﬁnition 7 (Access Structures) U_t (t = 1, . . . , d and U_t ⊂ {0,1}∗) is a sub-universe, a set of attributes, each of which is expressed by a pair of sub-universe id and value of attribute, i.e., (t, v), where t∈ {1, . . . , d} and v∈F_q.

We now deﬁne such an attribute to be a variable pof a span programMˆ := (M, ρ), i.e.,p:= (t, v). An access structureS is span program Mˆ := (M, ρ) along with variablesp:= (t, v), p := (t, v), . . ., i.e., S:= (M, ρ) such that ρ:{1, . . . , } → {(t, v),(t, v), . . . ,¬(t, v),¬(t, v), . . .}.

Let Γ be a set of attributes, i.e., Γ :={(t, x_t)|x_t ∈F_q,1≤t≤d}, where 1≤t≤d means that tis an element of some subset of {1, . . . , d}.

When Γ is given to access structure S, map γ :{1, . . . , } → {0,1} for span program Mˆ := (M, ρ)is deﬁned as follows: Fori= 1, . . . , , setγ(i) = 1if[ρ(i) = (t, v_i)]∧[(t, x_t)∈Γ]∧[v_i =x_t]

(13)

We now construct a secret-sharing scheme for a non-monotone access structure or span program.

Deﬁnition 8 A secret-sharing scheme for span programMˆ := (M, ρ) is:

1. Let M be ×r matrix. Let column vector fT := (f₁, . . . , f_r)T ←UF_qr. Then, s₀ :=1·fT= _r

k=1fk is the secret to be shared, and sT := (s1, . . . , s)T := M ·fT is the vector of

shares of the secret s₀ and the share s_i belongs to ρ(i).

2. If span program Mˆ := (M, ρ) accept δ, or access structure S := (M, ρ) accepts Γ, i.e.,

₁ _∈ _span_(M_i₎

γ(i)=1 with γ : {1, . . . , } → {0,1}, then there exist constants {αi ∈ Fq | i∈I} such that I ⊆ {i ∈ {1, . . . , } | γ(i) = 1} and _i_∈_Iα_is_i =s₀. Furthermore, these constants {α_i} can be computed in time polynomial in the size of matrixM.

4.2.2 Key-Policy Attribute-Based Encryption

In key-policy attribute-based encryption (KP-ABE), encryption (resp. a secret key) is associated with attributes Γ (resp. access structure S). Relation R for KP-ABE is deﬁned asR(S,Γ) = 1 iﬀ access structureS accepts Γ.

Deﬁnition 9 (Key-Policy Attribute-Based Encryption: KP-ABE) A key-policy attribute-based encryption scheme consists of probabilistic polynomial-time algorithmsSetup,KeyGen,Enc

and Dec. They are given as follows:

Setup takes as input security parameter 1λ. It outputs public parameters pk and master secret key sk.

KeyGen takes as input public parameters pk, master secret key sk, and access structure S := (M, ρ). It outputs a corresponding secret key sk_S.

Enc takes as input public parameters pk, message m in some associated message space msg, and a set of attributes, Γ :={(t, x_t)|x_t∈F_q,1≤t≤d}. It outputs a ciphertext ct_Γ.

Dec takes as input public parameters pk, secret key sk_S for access structure S, and ciphertext

ct_Γ that was encrypted under a set of attributes Γ. It outputs either m ∈ msg or the distinguished symbol ⊥.

A KP-ABE scheme should have the following correctness property: for all (pk,sk) ←R

Setup(1λ), all access structures S, all secret keys sk_S ←R KeyGen(pk, sk,S), all messages m, all attribute sets Γ, all ciphertextsct_Γ←R Enc(pk, m,Γ), it holds thatm=Dec(pk,sk_S,ct_Γ) if S accepts Γ. Otherwise, it holds with negligible probability.

Deﬁnition 10 The model for deﬁning the adaptively payload-hiding security of KP-ABE under chosen plaintext attack is given by the following game:

Setup The challenger runs the setup algorithm, (pk,sk)←R Setup(1λ), and gives public param-eters pk to the adversary.

(14)

Challenge The adversary submits two messagesm(0), m(1) and a set of attributes,Γ, provided that no S queried to the challenger in Phase 1 accepts Γ. The challenger ﬂips a coin

b← {U 0,1}, and computes ct(_Γb)←R Enc(pk, m(b),Γ). It gives ct(_Γb) to the adversary.

Phase 2 Phase 1 is repeated with the restriction that no queried S accepts challenge Γ.

Guess The adversary outputs a guess b of b, and wins if b =b.

The advantage of adversaryAin the above game is deﬁned asAdvKP_A -ABE,PH(λ) := Pr[Awins ]− 1/2 for any security parameter λ. A KP-ABE scheme is adaptively payload-hiding secure if all polynomial time adversaries have at most a negligible advantage in the above game.

4.2.3 Ciphertext-Policy Attribute-Based Encryption

Deﬁnition 11 (Ciphertext-Policy Attribute-Based Encryption : CP-ABE) A ciphertext-policy attribute-based encryption scheme consists of four algorithms.

Setup takes as input security parameter. It outputs the public parameters pk and a master key

sk.

KeyGen takes as input a set of attributes, Γ := {(t, x_t)|x_t ∈ F_q,1 ≤ t ≤ d}, pk and sk. It outputs a decryption key.

Enc takes as input public parameters pk, message m in some associated message space msg, and access structure S:= (M, ρ). It outputs the ciphertext.

Dec takes as input public parameters pk, decryption key sk_Γ for a set of attributes Γ, and ciphertext ct_S that was encrypted under access structure S. It outputs either m ∈msg or the distinguished symbol ⊥.

A CP-ABE scheme should have the following correctness property: for all (pk,sk) ←R

Setup(1λ), all attribute sets Γ, all decryption keys sk_Γ ←R KeyGen(pk,sk,Γ), all messages m, all access structures S, all ciphertexts ct_S ←R Enc(pk, m,S), it holds that m =Dec(pk,sk_Γ,ct_S) with overwhelming probability, ifS accepts Γ.

Deﬁnition 12 The model for proving the adaptively payload-hiding security of CP-ABE under chosen plaintext attack is:

Setup The challenger runs the setup algorithm, (pk,sk) ←R Setup(1λ), and gives the public parameters pk to the adversary.

Phase 1 The adversary is allowed to issue a polynomial number of queries, Γ, to the challenger or oracle KeyGen(pk,sk,·) for private keys, sk_Γ associated with Γ.

Challenge The adversary submits two messages m(0), m(1) and an access structure, S := (M, ρ), provided that the S does not accept any Γ sent to the challenger in Phase 1.

The challenger ﬂips a random coin b← {U 0,1}, and computes ct(_Sb) ←R Enc(pk, m(b),S). It gives ct(_Sb) to the adversary.

(15)

Guess The adversary outputs a guess b of b.

The advantage of an adversaryAin the above game is deﬁned asAdvCP_A -ABE,PH(λ) := Pr[b= b]−1/2 for any security parameter λ. A CP-FE scheme is adaptively payload-hiding secure if all polynomial time adversaries have at most a negligible advantage in the above game.

We note that the model can easily be extended to handle chosen-ciphertext attacks (CCA) by allowing for decryption queries in Phase 1 and 2.

5 Proposed IPE Schemes

5.1 Type 1 IPE Scheme

5.1.1 Construction Idea for Our Type 1 and 2 IPE Schemes

In the existing constructions [13, 8, 14, 15, 16, 17] of IPE on DPVS, around cn (c ≥ 1) di-mensional vector spaces are used for n-dimensional attribute and predicate vectors. Here, the vectors are encoded in an n-dimensional subspace. Although this is a typical strategy of con-structing IPE on DPVS, we cannot employ this idea in the unbounded setting, where we can use only constant dimensional spaces. In our construction, each component x_t of x (resp.v_t of v) is encoded in a constant dimensional space. In order to meet the decryption condition, we employ the indexing technique and n-out-of-n secret sharing trick. For example, in Type 1 construction, 4-dimensional vector (μ_t(t,−1), δv_t, s_t) is encoded in key k∗_t, and (σ_t(1, t), ωx_t,

ω) is encoded in ciphertext c_t. The ﬁrst 2-dimension is used for indexes, ands_t in the fourth component of k∗_t is for the secret sharing. Informally, a ciphertext can be decrypted if all n pieces of shares s_t are recovered. A Type 2 IPE scheme can be constructed from our Type 1 scheme by setting the secret-sharing mechanism in the ciphertext side instead of the secret key side.

5.1.2 Construction

Let d := poly(λ), where poly(·) is an arbitrary polynomial. Random dual basis generator Gob(1λ,(Nt)t=0,1) is deﬁned at the end of Section 2. We refer to Section 1.4 for notations on DPVS.

Setup(1λ) : (param,(B₀,B∗₀),(B,B∗))← GR ob(1λ,(N0 := 5, N := 15)),

B0 := (b₀_,₁,b₀_,₃,b₀_,₅), B := (b₁, ..,b₄,b₁₄,b₁₅),

B∗

0 := (b∗0,1,b0∗,3,b∗0,4), B∗ := (b∗1, ..,b∗4,b∗12,b∗13), return pk:= (1λ,param,B₀,B), sk:= (B∗₀,B∗).

KeyGen(pk, sk, v:={(t, v_t)|t∈I_v ⊆ {1, . . . , d}}) :s_t, δ, η₀ ←U F_q fort∈I_v, s₀ :=_t_∈_I

vst,

k₀∗:= ( −s₀, 0, 1, η₀, 0 )_B∗ 0,

4

7 2 2

fort∈I_v, μ_t, η_t,₁, η_t,₂ ←UF_q, k∗_t := ( μ_t(t, −1), δv_t, s_t, 07, η_t,₁, η_t,₂, 02 )_B∗, return sk_v:= (I_v,k∗₀,{k∗_t}_t_∈_I_v).

Enc(pk, m, x:={(t, x_t)|t∈I_x⊆ {1, . . . , d}}) : ω,ω, ζ, ϕ₀ ←UF_q, c₀:= ( ω, 0, ζ, 0, ϕ₀ )_B₀, c_T :=gζ_Tm,

4

7 2 2

(16)

return ct_x:= (I_x,c₀,{c_t}_t_∈_I_x, c_T).

Dec(pk, sk_v := (I_v,k∗₀,{k_t∗}_t_∈_I_v), ct_x := (I_x,c₀,{c_t}_t_∈_I_x, c_T)) : if I_v⊆I_x, K:=e(c₀,k∗₀)· _t_∈_I

ve(ct,k∗t), returnm :=cT/K,

else return⊥.

[Correctness] If I_v ⊆I_x and _t_∈_I

vvtxt= 0, e(c0,k0∗)· t∈Ive(ct,k∗t) =

g−_Tωs0e +ζ· _t_∈_I

vg

δωvtxt+eωst

T =gT−ωs0e +ζ·g

δω(Pt∈_Ivvtxt)+eω(Pt∈_Ivst)

T =gT−ωs0e +ζ+ωs0e =gζT.

5.1.3 Security

Theorem 1 The proposed Type 1 IPE scheme is adaptively fully-attribute-hiding against chosen plaintext attacks under the DLIN assumption.

For any adversaryA, there exist probabilistic machinesF’s, whose running times are essen-tially the same as that ofA, such that for any security parameterλ, the advantage AdvIPE_A ,AH(λ)

is upper-bounded by the sum of the right hand of Eq. (1) and the right hand of Eq. (2). The sum is given by the total of (ν(12d2+ 6d+ 3) + 4d+ 6) advantages of DLIN forF algorithms, which are F machines with parameters (h, ι, p, j, l) as described in Lemmas 1 and 2. Here, ν is the maximum number ofA’s key queries.

Theorem 1 is proven based on Lemmas 1 and 2.

Proof. First, we execute a preliminary game transformation from Game 0 (original security

game in Definition 5) to Game 0’, which is the same as Game 0 except that flips a coinκ← {U 0,1} before setup, and the game is aborted in step 3 ifκ=s. We define thatAwins with probability 1/2 when the game is aborted (and the advantage in Game 0’ is Pr[A wins ]−1/2 as well). Sinceκ is independent froms, the game is aborted with probability 1/2. Hence, the advantage in Game 0’ is a half of that in Game 0, i.e., Adv_AIPE,AH,0(λ) = 1/2·AdvIPE_A ,AH(λ). Moreover, Pr[Awins] = 1/2·(Pr[Awins|κ= 0] + Pr[Awins|κ= 1]) in Game 0’ sinceκis uniformly and independently generated. As for the conditional probability withκ= 0, i.e., Pr[Awins|κ= 0], Lemma 1 (Eq. (1)) holds. As for the conditional probability withκ= 1, i.e., Pr[Awins|κ= 1], Lemma 2 (Eq. (2)) holds. Since AdvIPE_A ,AH(λ) = 2·Adv_AIPE,AH,0(λ) = Pr[A wins | κ = 0] + Pr[A wins | κ = 1]−1 = (Pr[Awins|κ = 0]−1/2) + (Pr[Awins|κ = 1]−1/2), we obtain

Theorem 1 from Lemmas 1 and 2.

Lemma 1 The proposed Type 1 IPE scheme is adaptively fully-attribute-hiding against chosen plaintext attacks under the DLIN assumption when κ= 0.

For any adversaryA, there exist probabilistic machinesF_1-0,F_1-1,F_1-2,F_2-1,F_2-2-1, . . . ,F_2-2-5, F3, whose running times are essentially the same as that of A, such that for any security pa-rameter λ,

Pr[A wins in Game 0 | κ= 0]−1/2≤AdvDLIN_F_1-0(λ) +AdvDLIN_F_1-1(λ) +d_p₌₁2_j₌₁AdvDLIN_F_1-2-_p_-_j(λ) _ν

h=1

AdvDLIN_F_2-_h_-1(λ) +d_p₌₁2_j₌₁

AdvDLIN_F_2-_h_-2-_p_-1-_j(λ) +AdvDLIN_F_2-_h_-2-_p_-2-_j(λ)+

l=1,...,d; l=p

AdvDLIN_F

2-h-2-p-3-j-l(λ) +Adv DLIN

F2-h-2-p-4-j-l(λ)

+AdvDLIN_F

2-h-2-p-5-j(λ)

+ ₂

j=1AdvDLINF3-j (λ) +, (1)

where F1-2-_p_-_j(·) :=F1-2(h, p, j,·),F2-_h_-1(·) :=F2-1(h,·),F2-_h_-2-_p_-1-_j(·) :=F2-2-1(h, p, j,·),

(17)

Proof outline (resp. proof) of Lemma 1 is given in Section 5.1.5 (resp. 5.1.6).

Lemma 2 The proposed Type 1 IPE scheme is adaptively fully-attribute-hiding against chosen plaintext attacks under the DLIN assumption when κ= 1.

For any adversaryA, there exist probabilistic machinesF_1-0,F_1-1,F_1-2,F_2-1,F_2-2-1, . . . ,F_2-2-5, F2-3-1, . . . ,F2-3-5,F2-4, whose running times are essentially the same as that of A, such that for any security parameter λ,

Pr[A wins in Game 0 | κ= 1]−1/2≤AdvDLIN_F_1-0(λ) +AdvDLIN_F_1-1(λ) +d_p₌₁2_j₌₁AdvDLIN_F_1-2-_p_-_j(λ) _ν

h=1

AdvDLIN_F_2-_h_-1(λ) +_ι3₌₂d_p₌₁2_j₌₁

AdvDLIN_F_2-_h_-_ι_-_p_-1-_j(λ) +AdvDLIN_F_2-_h_-_ι_-_p_-2-_j(λ)+

l=1,...,d; l=p

AdvDLIN_F_2-_h_-_ι_-_p_-3-_j_-_l(λ) +AdvDLIN_F_2-_h_-_ι_-_p_-4-_j_-_l(λ)

+AdvDLIN_F_2-_h_-_ι_-_p_-5-_j(λ)

+ ₂

j=1AdvDLINF2-4-j(λ)

+, (2)

where F1-2-_p_-_j(·) :=F1-2(h, p, j,·),F2-_h_-1(·) :=F2-1(h,·),F2-_h_-_ι_-_p_-1-_j(·) :=F2-_ι_-1(h, p, j,·),

F2-h-ι-p-2-j(·) :=F2-ι-2(h, p, j,·),F2-h-ι-p-3-j-l(·) :=F2-ι-3(h, p, j, l,·),F2-h-ι-p-4-j-l(·) :=F2-ι-4(h, p, j, l,·),F_2-_h_-_ι_-_p_-5-_j(·) :=F_2-_ι_-5(h, p, j,·)forι= 2,3,F_2-4-_j(·) :=F_2-4(j,·), νis the maximum number of A’s key queries and := (40d2ν+ 20dν+ 10ν+ 10d+ 10)/q.

Proof outline (resp. proof) of Lemma 2 is given in Section 5.1.7 (resp. 5.1.8).

5.1.4 Lemmas (and Problems) for the proof of Lemmas 1 and 2

Computational Problems and Assumptions for Proofs of Lemmas 1 and 2 While our IPE scheme uses 15 dimensional spaceV, our KP-ABE in Section 6.1 uses 14 dimensionalV. This 1-dimensional diﬀerence arises from the diﬀerence of the required security, fully-attribute-hiding for IPE but only payload-fully-attribute-hiding for KP-ABE. The security of our KP-ABE is proven using Problem 1-ABE and 2-ABE. Note that while these problems are made for KP-ABE, they are also key techniques or basic building blocks for the security proof of IPE. The security proofs for Problems 1-ABE and 2-ABE (Lemmas 23 and 24) are given in Appendix A.4. The security proofs of IPE and ABE are reduced to the security (intractability) of these problems.

We will introduce 5 computational problems on DPVS for our IPE, Problems 1-IPE, . . ., 5-IPE. These are classiﬁed into 3 types, ones based on Problem 1-ABE, ones based on Problem 2-ABE, and ones directly reduced from DLIN. Since the security of Problems 1-ABE and 2-ABE is proven using the indexing and consistent randomness ampliﬁcation techniques, the security of the former two types essentially depends on these techniques.

The security lemma of Problem 1-IPE for unbounded IPE is reduced to that of Problem 1-ABE (Lemma 32 in Appendix A.1.1), and the security lemmas of Problems 2-IPE and 4-IPE are reduced to that of Problem 2-ABE (Lemma 33 in Appendix A.1.2). The security proofs of the other problems (Problems 3-IPE and 5-IPE) are not based on Problems 1-ABE or 2-ABE, but can be directly reduced from the DLIN assumption.

Deﬁnition 13 (Problem 1-IPE) Problem 1-IPE is to guess β, given (param,B₀,B∗₀,B,B∗, e_β,₀,{e_β,t,i}_t₌₁_,...,d_;_i₌₁_,₂,e_β,₁,e₂)← GR _βP1-IPE(1λ, d), where